
How to secure an Ubuntu 12.04 LTS server - Part 1 The Basics

Submitted by The Fan Club on Thu, 2012-05-17 13:06

This guide is based on various community forum posts and webpages. Special thanks to all. All comments and improvements are very welcome as this is purely a personal experimental project at this point and must be considered a work in progress.

This guide is intended as a relatively easy step-by-step guide to:

Harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:

Install and configure Firewall - ufw

Secure shared memory - fstab

SSH - Key based login, disable root login and change port

Apache SSL - Disable SSL v3 support

Protect su by limiting access only to admin group

Harden network with sysctl settings

Disable Open DNS Recursion and Remove Version Info - Bind9 DNS

Prevent IP Spoofing

Harden PHP for security

Restrict Apache Information Leakage

Install and configure Apache application firewall - ModSecurity

Protect from DDOS (Denial of Service) attacks with ModEvasive

Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban

Intrusion Detection - PSAD

Check for RootKits - RKHunter and CHKRootKit

Scan open Ports - Nmap

Analyse system LOG files - LogWatch

SELinux - Apparmor

Audit your system security - Tiger

Requirements:

Ubuntu 12.04 LTS or later server with a standard LAMP stack installed.

1. Firewall - UFW

A good place to start is to install a firewall.

UFW (Uncomplicated Firewall) is a basic firewall that works very well and is easy to configure, either directly or with its graphical configuration tool gufw. Alternatives include Shorewall, fwbuilder and Firestarter.

12. Protect from DDOS (Denial of Service) attacks - ModEvasive

13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.

DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.

Open a Terminal and enter the following:

sudo apt-get install denyhosts

After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.

If you selected a non-standard SSH port in step 3, you also need to change the port setting for ssh in the Fail2Ban configuration from the default (port 22) to your new port number; for example, if you chose 1234, set port = 1234.

When done configuring Fail2Ban, restart the service with:

sudo /etc/init.d/fail2ban restart

You can also check the status with:

sudo fail2ban-client status
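The DenyHosts and Fail2Ban parts of this step both do the same basic job: read sshd's failed-login lines, count failures per source address, and ban sources that exceed a threshold. The script below is an added illustration of that logic and is not code from DenyHosts, Fail2Ban or this guide. The auth.log lines, addresses, year and the maxretry/findtime values are all constructed for the example; only the hosts.deny line format (sshd: address) mirrors what DenyHosts actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real traffic): one fast
# brute-force run, one legitimate user who mistyped once, and one slow guesser.
SAMPLE_AUTH_LOG = """\
May 17 13:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 17 13:00:03 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May 17 13:00:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 17 13:00:06 srv sshd[2107]: Failed password for root from 203.0.113.7 port 51025 ssh2
May 17 13:00:09 srv sshd[2109]: Failed password for root from 203.0.113.7 port 51026 ssh2
May 17 13:01:00 srv sshd[2111]: Failed password for alice from 198.51.100.4 port 40001 ssh2
May 17 13:01:10 srv sshd[2113]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
May 17 13:20:00 srv sshd[2115]: Failed password for bob from 192.0.2.9 port 33000 ssh2
May 17 13:40:00 srv sshd[2117]: Failed password for bob from 192.0.2.9 port 33001 ssh2
May 17 14:00:00 srv sshd[2119]: Failed password for bob from 192.0.2.9 port 33002 ssh2
May 17 14:20:00 srv sshd[2121]: Failed password for bob from 192.0.2.9 port 33003 ssh2
May 17 14:40:00 srv sshd[2123]: Failed password for bob from 192.0.2.9 port 33004 ssh2
"""

# sshd's failed-password line: "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2012):
    """Yield (timestamp, user, source_ip) for every failed-password line.

    syslog timestamps carry no year, so the caller supplies one (assumed 2012 here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def find_offenders(events, maxretry=5, findtime=600):
    """Ban a source once it has `maxretry` failures inside any `findtime`-second
    window (the semantics of Fail2Ban's maxretry/findtime settings; the values
    here are chosen for the example, not taken from a jail file).

    Returns a sorted list of (ip, time_of_ban, failures_in_window)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, _user, ip in sorted(events):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # drop failures that aged out
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = (ts, len(window))
    return sorted((ip, ts, n) for ip, (ts, n) in banned.items())


def hosts_deny_entries(offenders, service="sshd"):
    """Render offenders as /etc/hosts.deny lines, the form DenyHosts writes for TCP wrappers."""
    return [f"{service}: {ip}" for ip, _ts, _n in offenders]


if __name__ == "__main__":
    offenders = find_offenders(parse_failed_logins(SAMPLE_AUTH_LOG))
    for ip, when, n in offenders:
        print(f"{when:%H:%M:%S}  {ip}  {n} failures in window")
    print("\n".join(hosts_deny_entries(offenders)))
```

Running it bans only 203.0.113.7 (five failures in eight seconds). The slow guesser at 192.0.2.9 also reaches five failures, but spaced 20 minutes apart, so with a 600-second findtime it is never caught; raising findtime to two hours catches it. That trade-off (a longer window catches slow guessers but makes it easier to lock out a legitimate user who fumbles a password a few times) is exactly what the findtime and maxretry settings control.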

14. Intrusion Detection - PSAD.

Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

Currently version 2.1 causes errors during installation on Ubuntu 12.04, but apparently does work. Version 2.2 resolves these issues but is not yet available in the Ubuntu software repositories. It is recommended to compile and install version 2.2 manually from the source files available on the Cipherdyne website.
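To make concrete what "analyze iptables log messages to detect port scans" means, here is an added example (not PSAD's code, and not part of the original guide) that parses kernel log lines in the format the iptables LOG target and ufw's [UFW BLOCK] logging produce, and flags any source that probes many distinct destination ports in a short window. The log lines, addresses, MAC, year, thresholds and the suggested ufw rule are all constructed for the example; PSAD's own danger-level scoring is richer than this single signal.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed kernel-log lines in the format the iptables LOG target (and ufw's
# "[UFW BLOCK]" logging) writes. Not real traffic: one fast 7-port sweep from
# 203.0.113.7, two ordinary blocked hits from 198.51.100.4, and a slow 5-port
# probe from 192.0.2.9 spread over eight minutes.
LOG_TEMPLATE = (
    "May 17 {ts} srv kernel: [  120.{n:06d}] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC={src} DST=192.0.2.10 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
    "WINDOW=1024 RES=0x00 SYN URGP=0"
)
_PROBES = [  # (time, source address, source port, destination port)
    ("13:05:01", "203.0.113.7", 54321, 21), ("13:05:02", "203.0.113.7", 54322, 22),
    ("13:05:03", "203.0.113.7", 54323, 23), ("13:05:04", "203.0.113.7", 54324, 25),
    ("13:05:05", "203.0.113.7", 54325, 80), ("13:05:07", "203.0.113.7", 54326, 110),
    ("13:05:09", "203.0.113.7", 54327, 443),
    ("13:06:00", "198.51.100.4", 40001, 80), ("13:06:05", "198.51.100.4", 40002, 443),
    ("13:10:00", "192.0.2.9", 33000, 21), ("13:12:00", "192.0.2.9", 33001, 22),
    ("13:14:00", "192.0.2.9", 33002, 23), ("13:16:00", "192.0.2.9", 33003, 25),
    ("13:18:00", "192.0.2.9", 33004, 80),
]
SAMPLE_KERN_LOG = "\n".join(
    LOG_TEMPLATE.format(ts=t, n=i, src=s, spt=sp, dpt=d)
    for i, (t, s, sp, d) in enumerate(_PROBES)
)

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel:")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; bare flags such as DF and SYN are skipped


def parse_iptables_log(text, year=2012):
    """Return [(timestamp, {field: value})] for each line that carries SRC and DPT."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        if "SRC" in fields and "DPT" in fields:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, fields))
    return events


def detect_port_scans(events, min_ports=5, window=60):
    """Flag a source that hit at least `min_ports` distinct TCP destination ports
    within any `window` seconds: the basic port-sweep signal a tool like PSAD
    extracts from iptables logs. Returns [{"src", "first_seen", "ports"}]."""
    by_src = defaultdict(list)
    for ts, f in events:
        if f.get("PROTO") == "TCP":
            by_src[f["SRC"]].append((ts, int(f["DPT"])))
    scans = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _port) in enumerate(hits):   # slide the window over each start point
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window}
            if len(ports) >= min_ports:
                scans.append({"src": src, "first_seen": start, "ports": sorted(ports)})
                break
    return sorted(scans, key=lambda s: s["src"])


def ufw_block_rules(scans):
    """Turn findings into ufw rules an admin can review before applying them
    (PSAD can do the equivalent automatically with iptables when auto-blocking is on)."""
    return [f"ufw insert 1 deny from {s['src']}" for s in scans]


if __name__ == "__main__":
    found = detect_port_scans(parse_iptables_log(SAMPLE_KERN_LOG))
    for s in found:
        print(f"{s['src']} swept ports {s['ports']} starting {s['first_seen']:%H:%M:%S}")
    print("\n".join(ufw_block_rules(found)))
```

With the defaults only the fast sweep from 203.0.113.7 is reported; the slow probe from 192.0.2.9 stays under the radar until the window is widened to ten minutes. Note that this only works if blocked packets are actually logged: PSAD needs iptables LOG rules in place (ufw's logging provides them on this setup), otherwise there is nothing for it to analyze.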

16. Scan open ports - Nmap.

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

Open a Terminal and enter the following:

sudo apt-get install nmap

Scan your system for open ports with:

nmap -v -sT localhost

Run a SYN scan with:

sudo nmap -v -sS localhost
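The two commands differ in how they probe: -sT performs a full TCP connect for each port, which needs no privileges, while -sS crafts raw SYN packets and never completes the handshake, which is why it needs sudo. The script below is an added example (not part of the guide, and not nmap) that performs the -sT style of check against the local machine only: it opens a throwaway listener on a kernel-chosen port, scans the ports around it with ordinary connect() calls, and reports which answered. The listener, port range and timeout are all constructed for the example.

```python
import socket
from contextlib import closing


def open_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on a kernel-chosen (ephemeral) port so the
    scan below has one port that is known to be open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan, the mechanism behind `nmap -sT`.

    Each probe is an ordinary connect(): the kernel completes the three-way
    handshake, so no privileges are needed and the listening service sees a
    real connection (which is why -sT shows up in application logs). A SYN scan
    (`nmap -sS`) instead sends a hand-built SYN and never completes the
    handshake, which requires raw sockets and hence root."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            # 0 means the handshake completed; ECONNREFUSED / timeout mean closed or filtered
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def audit_localhost(span=5):
    """Scan the ports around our own listener and report (listener_port, open_ports)."""
    with closing(open_listener()) as srv:
        port = srv.getsockname()[1]
        candidates = range(max(1, port - span), port + span + 1)
        return port, connect_scan("127.0.0.1", candidates)


if __name__ == "__main__":
    listener_port, found = audit_localhost()
    print(f"listener on {listener_port}; open ports found: {found}")
```

Because every probe is a real connection, a connect scan of your own server is also a quick way to see what a scan looks like from the defender's side: each probe of an open port lands as an accepted-then-closed connection in that service's log, and each probe of a firewalled port lands in the iptables/ufw log that PSAD reads.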

17. Analyse system LOG files - LogWatch.

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.

Open a Terminal and enter the following:

sudo apt-get install logwatch libdate-manip-perl

To view logwatch output, use less:

sudo logwatch | less

To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email:

18. SELinux - Apparmor.

The National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof.

This is a nice tutorial, quick and easy, less explained, thanks for that!
What I missed here also is the security of email services like postfix and generally an anti-virus tool.
I mean use of clamav, postgrey and so on. It would be nice if you spent time to write a part for that ;-)
One that I believe is also required for good security is to install suhosin for php.
It would be nice if you add it to this guide, and how to configure it with minimal settings.
Also speak about disabling/enabling modules in php that are mostly not used, or modules which can be turned off and on for special applications.
Another thing I always see is enabled mods in apache that nobody uses (which can be simply disabled).
It would be nice if you speak about what is really needed, and how to disable/enable unused ones.
ModEvasive is also not really needed in favour of ModSecurity, which can also do DDoS prevention for you.
I did not test the rules of OWASP CRS yet since they are stated as experimental, but they look clear to me.
Take a look at the file "modsecurity_crs_11_dos_protection". I use similar ones in production environment...

Thank you very much for this great guide! I love it!
Unfortunately I've encountered a problem with my webserver... right after enabling ufw the time to deliver a page went up from 1 second to 7 seconds. This effect disappears if I disable ufw... Has anyone encountered a similar effect / has anyone a tip for me what it could be?
With kind regards
joschi

Thanks for this great tutorial! I'm an Ubuntu Fan! A lot of the information you've shared is great for a start-up server. You might want to consider giving a small explanation in regards to protection against local attacks as well. Some of the configurations may differ if running both intranet and internet-based applications for most major companies such as call centers running ERP or CRM apps. Great job and I'm looking forward to more of your tutorials! :)

Thank you very much. It is very nice handling. But I can't access all my web sites without domain names. Because these sites run on some folder ports. How can I access and edit my web sites? Every site used to run on port 80. Now the server shows me that "Forbidden You don't have permission to access / on this server." kk please help me. Thanks again.

If you have installed modsecurity then that is probably why you cannot access your sites. The default security rules do not allow sites like Drupal and Wordpress to run without disabling some rules first. See http://www.thefanclub.co.za/how-to/how-disable-modsecurity-rules-drupal-and-wordpress

Very comprehensive article, and much appreciated for the time taken putting it together. I followed all the way down to installation of RKHunter and CHKRootKit, but didn't feel that I would need the few extra components beyond this section.
However, it seems that something is now causing my webserver to be serving up "403 Forbidden" response codes when bringing up any site. Any idea what might be causing this, and what action to take to correct?

Hi, really great tutorial!! It looks really good.
I had only some problems:
1. for mod_security I had to download version v2.2.5 and then all works fine
2. After installing mod-security my localhost says Forbidden access
How can I resolve it?
Thanks a lot
Leonardo

Thank you very much for these guidelines ! It's thorough and clean.
I must however say that the point "2. Secure shared memory" caused my VPS to freeze on boot-time and I spent 5 days tracking the problem (I'm a noob in sysadmin...). Mostly because I did not reboot my machine for 15 days AFTER doing this tutorial so it was difficult to remember all that I had done in between....I went backwards until I hit it.
So do not blindly copy each line without comprehending what you are doing (that seems obvious but I'm sure a lot of noobs like me are coming here so I must comment to maybe help others in the future), and I would advise rebooting your machine regularly between changes to ensure that you've not broken anything. You can always use rescue mode afterwards.

Thanks so much for this awesome guide, it's really helpful! Just two things....first, for the firewall I would also mention that controlling access via iptables may also be enough. Also, I was going to change my SSH port but I read this article about why it's a bad idea to do that and changed my mind: https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
Besides that, super neat guide, thanks!

I was in the middle of an attack. The attackers just kept flooding my server until it was becoming unresponsive. I was just searching and searching what to do to protect the server until I found this page, and followed the steps and.. just solved! Everything started to run smoothly like the attackers never existed. Thank you!